THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting - PowerPoint PPT Presentation

THANK YOU La Fin @VK_Intel :)

Talk Outline Evolution of Hunting for High- 2 1 Criminal Intent Value Targets APT Approach & 4 Emergence of 3 Ransomware Ransomhacks 5 YARA Hunting for 5 Key Takeaways Crypto Implementations

~whoami Vitali Kremez is a well-known ethical hacker. His cybercrime and nation-state research and discoveries led to his direct name appearing in the malware linked to the Russian nation- state group known as " APT28 ," which is believed to the military operation led by the Russian GRU after his blog revealing one particular group malware. Moreover, his name oftentimes appears in various malware families from Maze to Medusa ransomware as cybercrime tribute to him by the criminal actors who closely watch and acknowledge his research. Executive & Strategic Advisor 
 Personal blog : vkremez.com Twitter : @VK_Intel

Cybercrime Trends (2020) • Sophisticated criminal enterprises such as TrickBot & QakBot & TA505 - focused on parsing and identifying high-value targets (HVT) • Cybercrime Meets APT • Ransomhacks to Amplify Extortions • Big botnet data collectors necessitate scalable solutions to identify high-value targets (corporate networks with local domains) versus “useless” infections • Simple idea: Squeeze as £ / € / $ value from your bots as possible • Banking Malware • Credential Stealer • Miner • Ransomware! Reference: “Charting the Next Cybercrime Frontier https://www.youtube.com/watch?v=ptL0aTYzRfM

Father of Crimeware: Slavik • P2PZeuS group refer to themselves as “Business Club" • They target wholesale banking globally • Fraud amounts are much higher • Networks of fake companies are used as mule accounts • Build a new attack model: Hybrid attack • “ Business Club ” also introduces CryptoLocker • First real ransomware

Hunting for High-Value Targets: Network Parsing & High-Value Targets

Automated Malware + Interactive Human Exploitation Operator Emotet (Loader for Installs) -> TrickBot -> Ryuk Ransomware (via PowerShell Empire/Cobalt Strike) …Network & Active Directory Parsing!…. Reference: “Charting the Next Cybercrime Frontier, or Evolution of Criminal Intent https://www.youtube.com/watch?v=ptL0aTYzRfM 
 Credit: Ryuk image (https://nogiartshop.com/products/ryuk)

TrickBot -> Ryuk in the Cloud: CloudJumper MSP Intrusion • $5 Billion Extortion Amount in Total (!) Reference: https://twitter.com/barton_paul/status/1127088679132987394

DoppelPaymer Ransomware Attack: PEMEX Intrusion  • 565 Bitcoins Extortion • Victim Note via Portal Link on Tor 


Clop Ransomware Attack: Rouen University Hospital France • Analysis: .cIop • Targeted Attack (Linked to TA505) 


Underground Infrastructures for Monetizing Corporate Breaches ACCESS TO CORPORATE NETWORK Access-as-a-commodity Access-as-a-service Hackers specializing in If the network access is Access owners offer network vulnerabilities not sold directly, other hackers to upload obtain access through intermediaries offer their malicious files compromised RDPs, specific files or (primarily ransomware), credential stealers or financial databases or establish secure botnets. Most often, provide access to the access for one session, these accesses are segments of the or offer to use the sold directly on the compromised network to disseminate darkweb environment to malware via spam or manipulate it bots

2. APT Approach & Ransomware (TrickBot & “Lazarus” Angle)

The “Anchor” Mystery

The “Anchor” Mystery: The North Korean “Lazarus” APT

The North Korean “Lazarus” APT Angle: Chilean Redbanc Intrusion

III. Ransomhacks (REvil & Maze Publicizing Leaks)

MAZE Ransomware: Leak Portal Victim Shaming

Big Shift - Legal Framework - GDPR: REvil Ransomware GDPR Implemented on May 25, 2018. Instead of encrypting the files, the extortionists threatened to publish them. REvil Exploits the GDPR • December 2019 REvil claimed a recent ransomware attack against the CyrusOne data center.

Hunting Using YARA for Malware Developer Crypto Logic Implementation

YARA Hunting for Code Reuse • Malware developers work just like legitimate software developers, aiming to automate their work and reduce the time wasted on repetitive tasks wherever possible. • That means they create and reuse code across their malware (especially, crypto routines) • This has a pay-off for malware hunters: we can learn how to create search rules to detect this kind of code reuse, reducing our workload, too!

I. TrickBot Crypter Layer (since May 2019)

TrickBot Custom RC4 : YARA Implementation • TrickBot has utilized their own crypting service for some time now and it has been frequently updated over time. • The latest version utilizes RC4 with a twist and is also a perfect example for writing a simple unpacker while at the same time being forced to analyze a slightly modified encryption routine. Source: https://zero2auto.com/2020/06/22/decrypting- trickbot-crypter/

TrickBot Custom RC4 : YARA Implementation • ror-13 API hash • RC4 key (with NULL terminator) • SBOX 0x184

TrickBot Custom RC4 : YARA Implementation rule TrickBot { meta: author = "jreaves" description = "TrickBot Crypter 2019/2020" strings: $snippet1 = {be ?? ?? ?? ?0 8d 7c 24 [1-2] f3 a5} $sbox_size = {be ?? ?? 00 00 f7 f6 [0-1] 81} condition: ($snippet1 and $sbox_size) }

TrickBot Custom RC4 : YARA Implementation • YARA scan for custom SBOX and key for automated static unpacker scripting

Netwalker Ransomware Crypto YARA Implementation Source: https://zero2auto.com/2020/05/19/netwalker-re/

Netwalker Ransomware Crypto YARA Implementation • two constant strings associated with SALSA20 or CHACHA20 encryption and following it is a dword value associated with hashing

Netwalker Ransomware Crypto YARA Implementation • content:”{657870616e6420 33322d62797465206b6578 70616e642031362d627974 65206b982f8a42}”

Netwalker Ransomware Crypto YARA Implementation rule NetWalker { strings: $crypto_implement = {657870616e642033322d62797465206b657870616e6 42031362d62797465206b982f8a42} condition: ($crypto_implement) }

Key Takeaways & Outlook • Automated Malware + Interactive Human Exploitation Operator -> Convergence of APT & Crimeware •Cybercrime Meets APT •Hunting Using YARA for Malware Developer Crypto Logic Implementation is the Key

Malware Course Author: “Zero2Automated” •Created a 10% off coupon the Confidence attendees (code is “REVERSING2020”) to enroll part of the course (courses.zero2auto.com) • Short Description : Developed for those looking to further enhance their skills in the Malware Analysis/Reverse Engineering field • Instructors : Vitali Kremez (@VK_Intel), Daniel Bunce (@0verfl0w_), Jason Reaves (@sysopfb)

THANK YOU La Fin